✨ Add policy file (#1002)
* draft * draft 2 * add tests * check names * fixes * fix * comments * fix * test * remove risk * license * linter * comments
This commit is contained in:
parent
90332a9cb9
commit
5d6a7cd20d
66
cmd/root.go
@ -36,6 +36,7 @@ import (
|
|||||||
docs "github.com/ossf/scorecard/v2/docs/checks"
|
docs "github.com/ossf/scorecard/v2/docs/checks"
|
||||||
sce "github.com/ossf/scorecard/v2/errors"
|
sce "github.com/ossf/scorecard/v2/errors"
|
||||||
"github.com/ossf/scorecard/v2/pkg"
|
"github.com/ossf/scorecard/v2/pkg"
|
||||||
|
spol "github.com/ossf/scorecard/v2/policy"
|
||||||
"github.com/ossf/scorecard/v2/repos"
|
"github.com/ossf/scorecard/v2/repos"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -50,6 +51,7 @@ var (
|
|||||||
pypi string
|
pypi string
|
||||||
rubygems string
|
rubygems string
|
||||||
showDetails bool
|
showDetails bool
|
||||||
|
policyFile string
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -59,17 +61,61 @@ const (
|
|||||||
formatDefault = "default"
|
formatDefault = "default"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
scorecardLong = "A program that shows security scorecard for an open source software."
|
||||||
|
scorecardUse = `./scorecard --repo=<repo_url> [--checks=check1,...] [--show-details] [--policy=file]
|
||||||
|
or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show-details] [--policy=file]`
|
||||||
|
scorecardShort = "Security Scorecards"
|
||||||
|
)
|
||||||
|
|
||||||
|
func readPolicy() (*spol.ScorecardPolicy, error) {
|
||||||
|
if policyFile != "" {
|
||||||
|
data, err := os.ReadFile(policyFile)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("os.ReadFile: %w", err)
|
||||||
|
}
|
||||||
|
sp, err := spol.ParseFromYAML(data)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("spol.ParseFromYAML: %w", err)
|
||||||
|
}
|
||||||
|
return sp, nil
|
||||||
|
}
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func checksHavePolicies(sp *spol.ScorecardPolicy, enabledChecks checker.CheckNameToFnMap) bool {
|
||||||
|
for checkName := range enabledChecks {
|
||||||
|
_, exists := sp.Policies[checkName]
|
||||||
|
if !exists {
|
||||||
|
log.Printf("check %s has no policy declared", checkName)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
var rootCmd = &cobra.Command{
|
var rootCmd = &cobra.Command{
|
||||||
Use: `./scorecard --repo=<repo_url> [--checks=check1,...] [--show-details]
|
Use: scorecardUse,
|
||||||
or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show-details]`,
|
Short: scorecardShort,
|
||||||
Short: "Security Scorecards",
|
Long: scorecardLong,
|
||||||
Long: "A program that shows security scorecard for an open source software.",
|
|
||||||
Run: func(cmd *cobra.Command, args []string) {
|
Run: func(cmd *cobra.Command, args []string) {
|
||||||
// UPGRADEv3: remove.
|
// UPGRADEv3: remove.
|
||||||
var v3 bool
|
var v3 bool
|
||||||
if _, v3 = os.LookupEnv("SCORECARD_V3"); v3 {
|
if _, v3 = os.LookupEnv("SCORECARD_V3"); v3 {
|
||||||
fmt.Printf("**** Using SCORECARD_V3 code ***** \n\n")
|
fmt.Printf("**** Using SCORECARD_V3 code ***** \n\n")
|
||||||
}
|
}
|
||||||
|
if format == formatSarif && !v3 {
|
||||||
|
log.Fatal("sarif not supported yet")
|
||||||
|
}
|
||||||
|
|
||||||
|
if policyFile != "" && !v3 {
|
||||||
|
log.Fatal("policy not supported yet")
|
||||||
|
}
|
||||||
|
|
||||||
|
policy, err := readPolicy()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatalf("readPolicy: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
if npm != "" {
|
if npm != "" {
|
||||||
if git, err := fetchGitRepositoryFromNPM(npm); err != nil {
|
if git, err := fetchGitRepositoryFromNPM(npm); err != nil {
|
||||||
@ -120,6 +166,13 @@ or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show
|
|||||||
fmt.Fprintf(os.Stderr, "Starting [%s]\n", checkName)
|
fmt.Fprintf(os.Stderr, "Starting [%s]\n", checkName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If a policy was passed as argument, ensure all checks
|
||||||
|
// to run have a corresponding policy.
|
||||||
|
if policy != nil && !checksHavePolicies(policy, enabledChecks) {
|
||||||
|
log.Fatal("checks don't have policies")
|
||||||
|
}
|
||||||
|
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
|
|
||||||
logger, err := githubrepo.NewLogger(*logLevel)
|
logger, err := githubrepo.NewLogger(*logLevel)
|
||||||
@ -151,6 +204,7 @@ or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show
|
|||||||
}
|
}
|
||||||
|
|
||||||
// UPGRADEv2: support CSV/JSON.
|
// UPGRADEv2: support CSV/JSON.
|
||||||
|
// TODO: move the doc inside Scorecard structure.
|
||||||
checkDocs, e := docs.Read()
|
checkDocs, e := docs.Read()
|
||||||
if e != nil {
|
if e != nil {
|
||||||
log.Fatalf("cannot read yaml file: %v", err)
|
log.Fatalf("cannot read yaml file: %v", err)
|
||||||
@ -160,9 +214,6 @@ or ./scorecard --{npm,pypi,rubgems}=<package_name> [--checks=check1,...] [--show
|
|||||||
case formatDefault:
|
case formatDefault:
|
||||||
err = repoResult.AsString(showDetails, *logLevel, checkDocs, os.Stdout)
|
err = repoResult.AsString(showDetails, *logLevel, checkDocs, os.Stdout)
|
||||||
case formatSarif:
|
case formatSarif:
|
||||||
if !v3 {
|
|
||||||
log.Fatalf("sarif not supported yet")
|
|
||||||
}
|
|
||||||
// TODO: support config files and update checker.MaxResultScore.
|
// TODO: support config files and update checker.MaxResultScore.
|
||||||
err = repoResult.AsSARIF(showDetails, *logLevel, os.Stdout, checkDocs, checker.MaxResultScore)
|
err = repoResult.AsSARIF(showDetails, *logLevel, os.Stdout, checkDocs, checker.MaxResultScore)
|
||||||
case formatCSV:
|
case formatCSV:
|
||||||
@ -325,4 +376,5 @@ func init() {
|
|||||||
}
|
}
|
||||||
rootCmd.Flags().StringSliceVar(&checksToRun, "checks", []string{},
|
rootCmd.Flags().StringSliceVar(&checksToRun, "checks", []string{},
|
||||||
fmt.Sprintf("Checks to run. Possible values are: %s", strings.Join(checkNames, ",")))
|
fmt.Sprintf("Checks to run. Possible values are: %s", strings.Join(checkNames, ",")))
|
||||||
|
rootCmd.Flags().StringVar(&policyFile, "policy", "", "policy to enforce")
|
||||||
}
|
}
|
||||||
|
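Review bot: The parsed policy is used only as a presence check — `checksHavePolicies(policy, enabledChecks)` confirms that every enabled check has an entry, but nothing in these hunks applies the entries' scores or modes to the results, while the new flag help text says `policy to enforce` and the SARIF path still passes `checker.MaxResultScore` under its `TODO: support config files`. Until enforcement is wired in, the description should say what the flag actually does, e.g. `rootCmd.Flags().StringVar(&policyFile, "policy", "", "policy file; currently only validated against the enabled checks, not yet enforced")`, so an operator does not read a clean run as "the policy held". `checksHavePolicies` also returns on the first missing check, so someone fixing a policy file learns about omissions one run at a time; collecting all missing names before logging would be friendlier. Visible but pre-existing in the same hunk: `log.Fatalf("cannot read yaml file: %v", err)` prints `err` although `docs.Read()` stored its error in `e`, so the failure reported there is the wrong one. The `Run` closure begins in the second hunk but its end falls outside the visible hunks.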
114
policy/policy.go
Normal file
@ -0,0 +1,114 @@
|
|||||||
|
// Copyright 2021 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package policy
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
|
"gopkg.in/yaml.v3"
|
||||||
|
|
||||||
|
"github.com/ossf/scorecard/v2/checks"
|
||||||
|
sce "github.com/ossf/scorecard/v2/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
errInvalidVersion = errors.New("invalid version")
|
||||||
|
errInvalidCheck = errors.New("invalid check name")
|
||||||
|
errInvalidScore = errors.New("invalid score")
|
||||||
|
errInvalidMode = errors.New("invalid mode")
|
||||||
|
errRepeatingCheck = errors.New("check has multiple definitions")
|
||||||
|
)
|
||||||
|
|
||||||
|
var allowedVersions = map[int]bool{1: true}
|
||||||
|
|
||||||
|
var modes = map[string]bool{"enforced": true, "disabled": true}
|
||||||
|
|
||||||
|
type checkPolicy struct {
|
||||||
|
Mode string `yaml:"mode"`
|
||||||
|
Score int `yaml:"score"`
|
||||||
|
}
|
||||||
|
|
||||||
|
type scorecardPolicy struct {
|
||||||
|
Policies map[string]checkPolicy `yaml:"policies"`
|
||||||
|
Version int `yaml:"version"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func isAllowedVersion(v int) bool {
|
||||||
|
_, exists := allowedVersions[v]
|
||||||
|
return exists
|
||||||
|
}
|
||||||
|
|
||||||
|
func modeToProto(m string) CheckPolicy_Mode {
|
||||||
|
switch m {
|
||||||
|
default:
|
||||||
|
panic("will never happen")
|
||||||
|
case "enforced":
|
||||||
|
return CheckPolicy_ENFORCED
|
||||||
|
case "disabled":
|
||||||
|
return CheckPolicy_DISABLED
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ParseFromYAML parses a policy file and returns
|
||||||
|
// a scorecardPolicy.
|
||||||
|
func ParseFromYAML(b []byte) (*ScorecardPolicy, error) {
|
||||||
|
// Internal golang for unmarshalling the policy file.
|
||||||
|
sp := scorecardPolicy{}
|
||||||
|
// Protobuf-defined policy (policy.proto and policy.pb.go).
|
||||||
|
retPolicy := ScorecardPolicy{Policies: map[string]*CheckPolicy{}}
|
||||||
|
|
||||||
|
err := yaml.Unmarshal(b, &sp)
|
||||||
|
if err != nil {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
if !isAllowedVersion(sp.Version) {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, errInvalidVersion.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
// Set version.
|
||||||
|
retPolicy.Version = int32(sp.Version)
|
||||||
|
|
||||||
|
checksFound := make(map[string]bool)
|
||||||
|
for n, p := range sp.Policies {
|
||||||
|
if _, exists := checks.AllChecks[n]; !exists {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("%v: %v", errInvalidCheck.Error(), n))
|
||||||
|
}
|
||||||
|
|
||||||
|
_, exists := modes[p.Mode]
|
||||||
|
if !exists {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("%v: %v", errInvalidMode.Error(), p.Mode))
|
||||||
|
}
|
||||||
|
|
||||||
|
if p.Score < 0 || p.Score > 10 {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("%v: %v", errInvalidScore.Error(), p.Score))
|
||||||
|
}
|
||||||
|
|
||||||
|
_, exists = checksFound[n]
|
||||||
|
if exists {
|
||||||
|
return &retPolicy, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("%v: %v", errRepeatingCheck.Error(), n))
|
||||||
|
}
|
||||||
|
checksFound[n] = true
|
||||||
|
|
||||||
|
// Add an entry to the policy.
|
||||||
|
retPolicy.Policies[n] = &CheckPolicy{
|
||||||
|
Score: int32(p.Score),
|
||||||
|
Mode: modeToProto(p.Mode),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return &retPolicy, nil
|
||||||
|
}
|
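Review bot: `yaml.Unmarshal(b, &sp)` decodes non-strictly, so a misspelled key inside a policy entry (`Score:`, `scores:`) is silently dropped and the field keeps its zero value; a bad `mode` is still caught by the `modes` lookup, but a dropped `score` becomes 0, which passes the `p.Score < 0 || p.Score > 10` check and produces an entry the author never wrote. Decode strictly so unknown keys are rejected: `dec := yaml.NewDecoder(bytes.NewReader(b))`, `dec.KnownFields(true)`, `if err := dec.Decode(&sp); err != nil {` (adds a `bytes` import); the existing "no score disabled" fixture still passes because an absent key is not an unknown key. The `checksFound` duplicate detection is dead code: `sp.Policies` is a Go map, so the range loop can never observe the same key twice — as far as I know yaml.v3 rejects duplicate mapping keys itself, which is presumably why the multiple-defs test passes, but the `errRepeatingCheck` branch is unreachable and should either be removed or reimplemented over a `yaml.Node` walk if the library's behaviour is not to be relied on. Finally, every rejection is wrapped as `sce.ErrScorecardInternal` although a malformed policy file is a user-input error rather than an internal fault; a distinct sentinel would let callers and tests tell the two apart.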
308
policy/policy.pb.go
Normal file
@ -0,0 +1,308 @@
|
|||||||
|
// Copyright 2021 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Code generated by protoc-gen-go. DO NOT EDIT.
|
||||||
|
// versions:
|
||||||
|
// protoc-gen-go v1.27.1
|
||||||
|
// protoc v3.12.4
|
||||||
|
// source: policy.proto
|
||||||
|
|
||||||
|
package policy
|
||||||
|
|
||||||
|
import (
|
||||||
|
protoreflect "google.golang.org/protobuf/reflect/protoreflect"
|
||||||
|
protoimpl "google.golang.org/protobuf/runtime/protoimpl"
|
||||||
|
reflect "reflect"
|
||||||
|
sync "sync"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
// Verify that this generated code is sufficiently up-to-date.
|
||||||
|
_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
|
||||||
|
// Verify that runtime/protoimpl is sufficiently up-to-date.
|
||||||
|
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
|
||||||
|
)
|
||||||
|
|
||||||
|
// Mode definition.
|
||||||
|
type CheckPolicy_Mode int32
|
||||||
|
|
||||||
|
const (
|
||||||
|
CheckPolicy_DISABLED CheckPolicy_Mode = 0
|
||||||
|
CheckPolicy_ENFORCED CheckPolicy_Mode = 1
|
||||||
|
)
|
||||||
|
|
||||||
|
// Enum value maps for CheckPolicy_Mode.
|
||||||
|
var (
|
||||||
|
CheckPolicy_Mode_name = map[int32]string{
|
||||||
|
0: "DISABLED",
|
||||||
|
1: "ENFORCED",
|
||||||
|
}
|
||||||
|
CheckPolicy_Mode_value = map[string]int32{
|
||||||
|
"DISABLED": 0,
|
||||||
|
"ENFORCED": 1,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
func (x CheckPolicy_Mode) Enum() *CheckPolicy_Mode {
|
||||||
|
p := new(CheckPolicy_Mode)
|
||||||
|
*p = x
|
||||||
|
return p
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x CheckPolicy_Mode) String() string {
|
||||||
|
return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
|
||||||
|
}
|
||||||
|
|
||||||
|
func (CheckPolicy_Mode) Descriptor() protoreflect.EnumDescriptor {
|
||||||
|
return file_policy_proto_enumTypes[0].Descriptor()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (CheckPolicy_Mode) Type() protoreflect.EnumType {
|
||||||
|
return &file_policy_proto_enumTypes[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x CheckPolicy_Mode) Number() protoreflect.EnumNumber {
|
||||||
|
return protoreflect.EnumNumber(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use CheckPolicy_Mode.Descriptor instead.
|
||||||
|
func (CheckPolicy_Mode) EnumDescriptor() ([]byte, []int) {
|
||||||
|
return file_policy_proto_rawDescGZIP(), []int{0, 0}
|
||||||
|
}
|
||||||
|
|
||||||
|
type CheckPolicy struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
Mode CheckPolicy_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=ossf.scorecard.policy.CheckPolicy_Mode" json:"mode,omitempty"`
|
||||||
|
Score int32 `protobuf:"zigzag32,2,opt,name=score,proto3" json:"score,omitempty"` // TODO: add Risk.
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPolicy) Reset() {
|
||||||
|
*x = CheckPolicy{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_policy_proto_msgTypes[0]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPolicy) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*CheckPolicy) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *CheckPolicy) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_policy_proto_msgTypes[0]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use CheckPolicy.ProtoReflect.Descriptor instead.
|
||||||
|
func (*CheckPolicy) Descriptor() ([]byte, []int) {
|
||||||
|
return file_policy_proto_rawDescGZIP(), []int{0}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPolicy) GetMode() CheckPolicy_Mode {
|
||||||
|
if x != nil {
|
||||||
|
return x.Mode
|
||||||
|
}
|
||||||
|
return CheckPolicy_DISABLED
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *CheckPolicy) GetScore() int32 {
|
||||||
|
if x != nil {
|
||||||
|
return x.Score
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
type ScorecardPolicy struct {
|
||||||
|
state protoimpl.MessageState
|
||||||
|
sizeCache protoimpl.SizeCache
|
||||||
|
unknownFields protoimpl.UnknownFields
|
||||||
|
|
||||||
|
Version int32 `protobuf:"varint,1,opt,name=version,proto3" json:"version,omitempty"`
|
||||||
|
Policies map[string]*CheckPolicy `protobuf:"bytes,2,rep,name=policies,proto3" json:"policies,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ScorecardPolicy) Reset() {
|
||||||
|
*x = ScorecardPolicy{}
|
||||||
|
if protoimpl.UnsafeEnabled {
|
||||||
|
mi := &file_policy_proto_msgTypes[1]
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ScorecardPolicy) String() string {
|
||||||
|
return protoimpl.X.MessageStringOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (*ScorecardPolicy) ProtoMessage() {}
|
||||||
|
|
||||||
|
func (x *ScorecardPolicy) ProtoReflect() protoreflect.Message {
|
||||||
|
mi := &file_policy_proto_msgTypes[1]
|
||||||
|
if protoimpl.UnsafeEnabled && x != nil {
|
||||||
|
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
|
||||||
|
if ms.LoadMessageInfo() == nil {
|
||||||
|
ms.StoreMessageInfo(mi)
|
||||||
|
}
|
||||||
|
return ms
|
||||||
|
}
|
||||||
|
return mi.MessageOf(x)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Deprecated: Use ScorecardPolicy.ProtoReflect.Descriptor instead.
|
||||||
|
func (*ScorecardPolicy) Descriptor() ([]byte, []int) {
|
||||||
|
return file_policy_proto_rawDescGZIP(), []int{1}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ScorecardPolicy) GetVersion() int32 {
|
||||||
|
if x != nil {
|
||||||
|
return x.Version
|
||||||
|
}
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
func (x *ScorecardPolicy) GetPolicies() map[string]*CheckPolicy {
|
||||||
|
if x != nil {
|
||||||
|
return x.Policies
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
var File_policy_proto protoreflect.FileDescriptor
|
||||||
|
|
||||||
|
var file_policy_proto_rawDesc = []byte{
|
||||||
|
0x0a, 0x0c, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15,
|
||||||
|
0x6f, 0x73, 0x73, 0x66, 0x2e, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x2e, 0x70,
|
||||||
|
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x84, 0x01, 0x0a, 0x0b, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50,
|
||||||
|
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x3b, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20,
|
||||||
|
0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x6f, 0x73, 0x73, 0x66, 0x2e, 0x73, 0x63, 0x6f, 0x72, 0x65,
|
||||||
|
0x63, 0x61, 0x72, 0x64, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x68, 0x65, 0x63,
|
||||||
|
0x6b, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f,
|
||||||
|
0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
|
||||||
|
0x11, 0x52, 0x05, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x22, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65,
|
||||||
|
0x12, 0x0c, 0x0a, 0x08, 0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c,
|
||||||
|
0x0a, 0x08, 0x45, 0x4e, 0x46, 0x4f, 0x52, 0x43, 0x45, 0x44, 0x10, 0x01, 0x22, 0xde, 0x01, 0x0a,
|
||||||
|
0x0f, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
|
||||||
|
0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
|
||||||
|
0x05, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x50, 0x0a, 0x08, 0x70, 0x6f,
|
||||||
|
0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x6f,
|
||||||
|
0x73, 0x73, 0x66, 0x2e, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x2e, 0x70, 0x6f,
|
||||||
|
0x6c, 0x69, 0x63, 0x79, 0x2e, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x50, 0x6f,
|
||||||
|
0x6c, 0x69, 0x63, 0x79, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x45, 0x6e, 0x74,
|
||||||
|
0x72, 0x79, 0x52, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x1a, 0x5f, 0x0a, 0x0d,
|
||||||
|
0x50, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
|
||||||
|
0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
|
||||||
|
0x38, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22,
|
||||||
|
0x2e, 0x6f, 0x73, 0x73, 0x66, 0x2e, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x2e,
|
||||||
|
0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x50, 0x6f, 0x6c, 0x69,
|
||||||
|
0x63, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x22, 0x5a,
|
||||||
|
0x20, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x73, 0x73, 0x66,
|
||||||
|
0x2f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x63, 0x61, 0x72, 0x64, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63,
|
||||||
|
0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||||
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
file_policy_proto_rawDescOnce sync.Once
|
||||||
|
file_policy_proto_rawDescData = file_policy_proto_rawDesc
|
||||||
|
)
|
||||||
|
|
||||||
|
func file_policy_proto_rawDescGZIP() []byte {
|
||||||
|
file_policy_proto_rawDescOnce.Do(func() {
|
||||||
|
file_policy_proto_rawDescData = protoimpl.X.CompressGZIP(file_policy_proto_rawDescData)
|
||||||
|
})
|
||||||
|
return file_policy_proto_rawDescData
|
||||||
|
}
|
||||||
|
|
||||||
|
var file_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
|
||||||
|
var file_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
|
||||||
|
var file_policy_proto_goTypes = []interface{}{
|
||||||
|
(CheckPolicy_Mode)(0), // 0: ossf.scorecard.policy.CheckPolicy.Mode
|
||||||
|
(*CheckPolicy)(nil), // 1: ossf.scorecard.policy.CheckPolicy
|
||||||
|
(*ScorecardPolicy)(nil), // 2: ossf.scorecard.policy.ScorecardPolicy
|
||||||
|
nil, // 3: ossf.scorecard.policy.ScorecardPolicy.PoliciesEntry
|
||||||
|
}
|
||||||
|
var file_policy_proto_depIdxs = []int32{
|
||||||
|
0, // 0: ossf.scorecard.policy.CheckPolicy.mode:type_name -> ossf.scorecard.policy.CheckPolicy.Mode
|
||||||
|
3, // 1: ossf.scorecard.policy.ScorecardPolicy.policies:type_name -> ossf.scorecard.policy.ScorecardPolicy.PoliciesEntry
|
||||||
|
1, // 2: ossf.scorecard.policy.ScorecardPolicy.PoliciesEntry.value:type_name -> ossf.scorecard.policy.CheckPolicy
|
||||||
|
3, // [3:3] is the sub-list for method output_type
|
||||||
|
3, // [3:3] is the sub-list for method input_type
|
||||||
|
3, // [3:3] is the sub-list for extension type_name
|
||||||
|
3, // [3:3] is the sub-list for extension extendee
|
||||||
|
0, // [0:3] is the sub-list for field type_name
|
||||||
|
}
|
||||||
|
|
||||||
|
func init() { file_policy_proto_init() }
|
||||||
|
func file_policy_proto_init() {
|
||||||
|
if File_policy_proto != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !protoimpl.UnsafeEnabled {
|
||||||
|
file_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*CheckPolicy); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
file_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
|
||||||
|
switch v := v.(*ScorecardPolicy); i {
|
||||||
|
case 0:
|
||||||
|
return &v.state
|
||||||
|
case 1:
|
||||||
|
return &v.sizeCache
|
||||||
|
case 2:
|
||||||
|
return &v.unknownFields
|
||||||
|
default:
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
type x struct{}
|
||||||
|
out := protoimpl.TypeBuilder{
|
||||||
|
File: protoimpl.DescBuilder{
|
||||||
|
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
|
||||||
|
RawDescriptor: file_policy_proto_rawDesc,
|
||||||
|
NumEnums: 1,
|
||||||
|
NumMessages: 3,
|
||||||
|
NumExtensions: 0,
|
||||||
|
NumServices: 0,
|
||||||
|
},
|
||||||
|
GoTypes: file_policy_proto_goTypes,
|
||||||
|
DependencyIndexes: file_policy_proto_depIdxs,
|
||||||
|
EnumInfos: file_policy_proto_enumTypes,
|
||||||
|
MessageInfos: file_policy_proto_msgTypes,
|
||||||
|
}.Build()
|
||||||
|
File_policy_proto = out.File
|
||||||
|
file_policy_proto_rawDesc = nil
|
||||||
|
file_policy_proto_goTypes = nil
|
||||||
|
file_policy_proto_depIdxs = nil
|
||||||
|
}
|
36
policy/policy.proto
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
// Copyright 2021 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
syntax = "proto3";
|
||||||
|
|
||||||
|
package ossf.scorecard.policy;
|
||||||
|
|
||||||
|
option go_package = "github.com/ossf/scorecard/policy";
|
||||||
|
|
||||||
|
message CheckPolicy {
|
||||||
|
|
||||||
|
// Mode definition.
|
||||||
|
enum Mode {
|
||||||
|
DISABLED = 0;
|
||||||
|
ENFORCED = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
Mode mode = 1;
|
||||||
|
sint32 score = 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
message ScorecardPolicy {
|
||||||
|
int32 version = 1;
|
||||||
|
map<string, CheckPolicy> policies = 2;
|
||||||
|
}
|
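Review bot: `option go_package = "github.com/ossf/scorecard/policy"` does not match the module path the rest of this commit imports (`github.com/ossf/scorecard/v2/...`), so the package path baked into the generated descriptor diverges from where the code actually lives; it should read `option go_package = "github.com/ossf/scorecard/v2/policy";` so a regeneration stays consistent with the module. The fields carry no documentation even though the YAML loader enforces constraints on them: add `// Only version 1 is currently accepted by the YAML loader.` on `version` and `// Score value for this check; the YAML loader accepts 0..10 only.` on `score` (what the score is compared against is not defined in this commit and should be stated by whoever wires enforcement). It is also worth a comment on `Mode` that `DISABLED` is the zero value, so any future non-YAML path that leaves `mode` unset will decode it as a disabled check rather than an enforced one.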
133
policy/policy_test.go
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
// Copyright 2021 Security Scorecard Authors
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package policy
|
||||||
|
|
||||||
|
import (
|
||||||
|
"errors"
|
||||||
|
"io/ioutil"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
sce "github.com/ossf/scorecard/v2/errors"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestPolicyRead(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
// nolint
|
||||||
|
tests := []struct {
|
||||||
|
err error
|
||||||
|
name string
|
||||||
|
filename string
|
||||||
|
result ScorecardPolicy
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "correct",
|
||||||
|
filename: "./testdata/policy-ok.yaml",
|
||||||
|
err: nil,
|
||||||
|
result: ScorecardPolicy{
|
||||||
|
Version: 1,
|
||||||
|
Policies: map[string]*CheckPolicy{
|
||||||
|
"Token-Permissions": &CheckPolicy{
|
||||||
|
Score: 3,
|
||||||
|
Mode: CheckPolicy_DISABLED,
|
||||||
|
},
|
||||||
|
"Branch-Protection": &CheckPolicy{
|
||||||
|
Score: 5,
|
||||||
|
Mode: CheckPolicy_ENFORCED,
|
||||||
|
},
|
||||||
|
"Vulnerabilities": &CheckPolicy{
|
||||||
|
Score: 1,
|
||||||
|
Mode: CheckPolicy_ENFORCED,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "no score disabled",
|
||||||
|
filename: "./testdata/policy-no-score-disabled.yaml",
|
||||||
|
err: nil,
|
||||||
|
result: ScorecardPolicy{
|
||||||
|
Version: 1,
|
||||||
|
Policies: map[string]*CheckPolicy{
|
||||||
|
"Token-Permissions": &CheckPolicy{
|
||||||
|
Score: 0,
|
||||||
|
Mode: CheckPolicy_DISABLED,
|
||||||
|
},
|
||||||
|
"Branch-Protection": &CheckPolicy{
|
||||||
|
Score: 5,
|
||||||
|
Mode: CheckPolicy_ENFORCED,
|
||||||
|
},
|
||||||
|
"Vulnerabilities": &CheckPolicy{
|
||||||
|
Score: 1,
|
||||||
|
Mode: CheckPolicy_ENFORCED,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "invalid score - 0",
|
||||||
|
filename: "./testdata/policy-invalid-score-0.yaml",
|
||||||
|
err: sce.ErrScorecardInternal,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "invalid score + 10",
|
||||||
|
filename: "./testdata/policy-invalid-score-10.yaml",
|
||||||
|
err: sce.ErrScorecardInternal,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "invalid mode",
|
||||||
|
filename: "./testdata/policy-invalid-mode.yaml",
|
||||||
|
err: sce.ErrScorecardInternal,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "invalid check name",
|
||||||
|
filename: "./testdata/policy-invalid-check.yaml",
|
||||||
|
err: sce.ErrScorecardInternal,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple check definitions",
|
||||||
|
filename: "./testdata/policy-multiple-defs.yaml",
|
||||||
|
err: sce.ErrScorecardInternal,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for i := range tests {
|
||||||
|
tt := &tests[i]
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
var content []byte
|
||||||
|
var err error
|
||||||
|
content, err = ioutil.ReadFile(tt.filename)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("cannot read file: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
p, err := ParseFromYAML(content)
|
||||||
|
|
||||||
|
if !errors.Is(err, tt.err) {
|
||||||
|
t.Fatalf("%s: expected %v, got %v", tt.name, tt.err, err)
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// Compare outputs only if the error is nil.
|
||||||
|
// TODO: compare objects.
|
||||||
|
if p.String() != tt.result.String() {
|
||||||
|
t.Fatalf("%s: invalid result", tt.name)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
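Review bot: Every failure case asserts only `errors.Is(err, sce.ErrScorecardInternal)`, and because `ParseFromYAML` wraps every rejection — bad version, unknown check, bad mode, out-of-range score, and even a YAML syntax error — in that same sentinel, these tests cannot show that the intended validation fired; a fixture with a stray tab would make "invalid mode" pass for the wrong reason. Either export the specific sentinels and assert on them, or add an expected-substring column and check `strings.Contains(err.Error(), errInvalidMode.Error())` per case. The success path compares `p.String()` with `tt.result.String()`; as I understand it protobuf-go deliberately randomizes prototext whitespace between builds, so while this is stable within one process it is fragile — `proto.Equal(p, &tt.result)` is the robust check and also closes the `TODO: compare objects`. The case names `invalid score - 0` and `invalid score + 10` read as literal values but the fixtures hold `-1` and `11`; `below 0` / `above 10` would be clearer. `ioutil.ReadFile` is deprecated and `cmd/root.go` in this same commit already uses `os.ReadFile`.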
19
policy/testdata/policy-invalid-check.yaml
vendored
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
# Copyright 2021 Security Scorecard Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this exe except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
policies:
|
||||||
|
Unknown-Check:
|
||||||
|
score: 1
|
||||||
|
mode: disabled
|
19
policy/testdata/policy-invalid-mode.yaml
vendored
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
# Copyright 2021 Security Scorecard Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this exe except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
policies:
|
||||||
|
Token-Permissions:
|
||||||
|
score: 1
|
||||||
|
mode: unknown
|
19
policy/testdata/policy-invalid-score-0.yaml
vendored
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
# Copyright 2021 Security Scorecard Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this exe except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
version: 1
|
||||||
|
policies:
|
||||||
|
Token-Permissions:
|
||||||
|
score: -1
|
||||||
|
mode: disabled
|
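--- a/policy/testdata/policy-invalid-score-10.yaml
+++ b/policy/testdata/policy-invalid-score-10.yaml
@@ -0,0 +1,19 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this exe except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+    score: 11
+    mode: disabled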
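--- a/policy/testdata/policy-multiple-defs.yaml
+++ b/policy/testdata/policy-multiple-defs.yaml
@@ -0,0 +1,29 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this exe except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+    score: 3
+    mode: disabled
+  Branch-Protection:
+    score: 5
+    mode: enforced
+  Vulnerabilities:
+    score: 1
+    mode: disabled
+  Token-Permissions:
+    score: 6
+    mode: enforced
+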
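Review bot: `Token-Permissions` appears twice under `policies:` in this fixture, first with `score: 3` / `mode: disabled` and again with `score: 6` / `mode: enforced`, and nothing in the file says which outcome the accompanying test expects. The file name suggests it exercises rejection of duplicate check definitions, but YAML libraries differ on duplicate mapping keys (some raise an error, others silently keep the last value), so if the parser ever silently kept the last entry the policy would be applied with a different threshold than the author wrote and the fixture would pass for the wrong reason. A one-line comment above the second entry would pin the intent for the next maintainer, e.g. `# Token-Permissions is deliberately defined twice: parsing this file must fail rather than keep either entry.` — adjust the wording if the test in this commit asserts something else.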
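--- a/policy/testdata/policy-no-score-disabled.yaml
+++ b/policy/testdata/policy-no-score-disabled.yaml
@@ -0,0 +1,25 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this exe except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+    mode: disabled
+  Branch-Protection:
+    score: 5
+    mode: enforced
+  Vulnerabilities:
+    score: 1
+    mode: enforced
+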
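--- a/policy/testdata/policy-ok.yaml
+++ b/policy/testdata/policy-ok.yaml
@@ -0,0 +1,26 @@
+# Copyright 2021 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this exe except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+policies:
+  Token-Permissions:
+    score: 3
+    mode: disabled
+  Branch-Protection:
+    score: 5
+    mode: enforced
+  Vulnerabilities:
+    score: 1
+    mode: enforced
+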